From: Adam Back <aba@dcs.ex.ac.uk>
To: ravage@einstein.ssz.com
Message Hash: f7b95347c72b0505f4d2d556efa657c31575b1008c863efdcb3d273de940cd01
Message ID: <199809221920.UAA11110@server.eternity.org>
Reply To: <199809221539.KAA04070@einstein.ssz.com>
UTC Datetime: 1998-09-22 10:15:23 UTC
Raw Date: Tue, 22 Sep 1998 18:15:23 +0800
From: Adam Back <aba@dcs.ex.ac.uk>
Date: Tue, 22 Sep 1998 18:15:23 +0800
To: ravage@einstein.ssz.com
Subject: respect due to anonymous (Re: CHALLENGE response (fwd))
In-Reply-To: <199809221539.KAA04070@einstein.ssz.com>
Message-ID: <199809221920.UAA11110@server.eternity.org>
MIME-Version: 1.0
Content-Type: text/plain
Jim Choate writes:
> Anonmous writes:
> > Subject: CHALLENGE response (fwd)
>
> > The whole point of the CHALLENGE response went straight over his head,
> > didn't it?
>
> It didn't go over my head at all. What amazes me is that it took you this
> long to figure out that one could munge signatures.
Munge signatures!? He generated an RSA key pair to match the
pre-published signature based on generating primes of special form
and/or using multiple smaller primes to construct an n which he could
perform discrete logs in (plus a dead beef attack), and all you can
say is the above. You should take you hat off to anonymous.
> > No longer can you assume that just because you posted a signed message
> > on a certain date, and you hold the public key which signed that message,
> > that you can later prove authorship. It challenges some of the implicit
> > assumptions which have been made in using public key cryptography.
>
> No, it challenges basic assumptions regarding the importance of identity.
> In no way does it effect the basic math of crypto, public or otherwise.
It affects crypto: it means that one published signature is
not sufficient to provide a provable relationship between a signed
message and a public key. You have to provide two signatures.
For example anonymous provide three signatures which check with that
key (one is self sig on the key). Therefore it is not possible for
someone to do the same attack again against his published signatures:
they could match any one of the signatures, but no more.
It may even be that there exist crypto protocols affected by this.
Adam
Return to September 1998
Return to “Jim Choate <ravage@einstein.ssz.com>”